Craig Burton first achieved prominence as the Senior Vice President of Corporate Marketing and Development who drove Novell's innovation and market strategies in the days when it was aggressively turning computing upside down. Some years later he founded the Burton Group with Jamie Lewis. Today he is a Distinguished Analyst for Kuppinger Cole, where he just published an intriguing response to the blogs John and I have been doing: Microsoft is Finally Being Relevant.

For now I'll refrain from comment and just offer up the goods:

Microsoft is Finally Being Relevant
Surprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative — but profoundly innovative.

In a dual post by Microsoft’s John Shewchuk and Kim Cameron, the announcement was made about what Kim Cameron alluded to at the KuppingerCole EIC in April — Identity Management as a Service (IDMaaS). This is not trivial, and does not suck. It ROCKS.Why is Identity Management as a Service a Big Deal
From a technical perspective, the place where innovation really makes a difference is the place where the rubber meets the road — infrastructure. Infrastructure is not only fundamental—as it provides the technical framework and underpinning to support big change — but infrastructure is hard.

It’s also hard to get funded and hard to sell both outside and inside of companies that make infrastructure.

This is because there is little possibility of showing a direct ROI in core infrastructure investment. It takes vision and guts to invest in infrastructure.

Nobody wants to buy identity infrastructure. In fact no one should have to pay for identity infrastructure. It should be ubiquitous, work, and be free to everyone and controlled by no one. Infrastructure at this level is as fundamental as air. You don’t think about it, you don’t buy it; you just breathe it in and out and get on with the details.

Metaphorically, when it comes to the maturity of identity infrastructure today—we are all sucking on thin air from teeny tubes of infrastructure veneer connected to identity silos (Facebook Connect, Twitter, Federated Identity and so on.)

It’s much like the other core suite of protocols of the Internet — like TCP/IP. TCP/IP is free as far as a piece of software goes. No one ever pays for the transport anymore.

So should be the protocols and infrastructure for doing Identity Management. With this announcement Microsoft is showing that it understands Identity Infrastructure is fundamental to everything in the hybrid world of social-mobile-cloud networking that we are stumbling towards.

Further, Microsoft is making it clear it understands that the current identity provider-centric world we live in now is broken and simply will not work for the future. Significant movement forward from this wretched state requires massive change — which is what Microsoft is proposing.

From a political and business perspective, Kim Cameron’s vision of a ubiquitous Identity Metasystem has somehow prevailed inside Microsoft and is starting to emerge. This is a big deal. Finally a company with lots of talent that has been wallowing from lack of leadership has stepped up and put a stake in the ground about Identity. Bravo!

Everybody else of significance that could be doing something significant with identity infrastructure — Google, Facebook, and Amazon for starters — are trapped in their current business models of trafficking your identity for short term profit. For each of them, the little piece they hold captive of your identity is the product by which they are making money. This is both short sighted and unsustainable.

Microsoft’s plan is much grander. Invest in the hard stuff, solve the really tough identity infrastructure problems across the board—simple, private, and scalable. By taking this high road, Microsoft is betting it can take the leadership role by increasing the size of the pie for other SaaS services and apps that organizations and individuals want and are willing to pay for. Much more visionary that continuing to fight over whatever crumb you can get based on the current broken model.

If Microsoft is allowed to pull this off, it is a good thing.Stop Gushing and Lay it Out for Me
To understand the significance of IDMaaS, it’s useful to take a quick look at how identity management systems have evolved.

Figure 1 shows how identities started out being managed within the boundaries of a domain. Domain-based identity managed need hardly be mentioned here as it can’t possibly meet any of the requirements for identity management in today’s organizational environments. For its day, it worked and it was a good place to start.

Figure 1: Domain Contained Identity

Figure 2 illustrates the first generation of federated identity management systems. This is a powerful model and was a big step forward from the domain model. In this model there is a service provider that accepts claims from an identity provider. A person can then prove who they are to the identity provider and present claims to the service provider to assure proper access to services and resources. This model works when these a relatively small number of parties involved. But as soon as there a diverse number of parties, it quickly breaks down.

Figure 2: Identity Federation Model

Figure 3 shows the scenario with diverse people with diverse relationships with different IPs. When you add diverse and numerous types of devices — cell phones, tablets, laptops and so on — it even makes the case stronger as to why the current federated identity model is reaching its limits.

Figure 3: Diverse People and Devices

So if the Federated Identity model doesn’t work, what will? Figure 4 shows one school of thought were a single IP can somehow grow big enough and inclusive enough, it can manage all of the identity claims of all entities. This architecture is both frightening and poorly thought out. People and organizations need to have the freedom of choice of how their identities are managed and not be locked into an identity management silo of a single provider.

Figure 4: Omni Identity Provider

Figure 5 is another — simpler — graphic showing how a single organization could have federated relationships with multiple constituents. Again, this approach works to a point, but as soon as you consider the impact of the identity explosion brought on by — cloud computing, social computing, mobile computing, and the API economy — this approach simply won’t do the job.

Figure 5: Organization Federated to Many Constituents

Figure 6 then, shows the simplified notion of the IDMaaS architecture. Any number of organizations, constituents or entities can generate and consume claims through the service in the cloud.

Figure 6: Any Entity and Any Number of Entities

Of course Figure 6 doesn’t very effectively illustrate what the three black dots really mean. With the identity explosion we are talking about, the number of entities that are inevitable are several orders of magnitude bigger than anything we have even thought about up to this point.

We are in new territory, it is very unclear what is going to happen as a result all of this.

The fact that Microsoft seems to be acknowledging this fact and is working with vision to address the matter is highly encouraging.

We are not seeing this kind of vision — or anything close to it — from any other major vendor to date.Caveats
The biggest problem I see here is Microsoft itself. It isn’t like Microsoft has the reputation of always taking the high road to enhance technology to the benefit of all. To the contrary, Microsoft has the reputation of pretending to take the high road with an “embrace and extend-like” position while executing an exacting and calculating “embrace and execute” practice. Microsoft has become the arrogant elephant to dance with that IBM once was. Microsoft’s past is going to be difficult to shed and it will be a significant effort to convince others that the elephant won’t trample on everyone when it gets the chance.

Will Microsoft follow up on allowing true “Freedom of Choice” for the customer? (Think interoperability. i.e. IDMaaS from any vendor, not just MSFT)

Will the RESTful implementation be usable?

Can the technology transcend the limitations of Kerberos and LDAP as it moves Active Directory to the cloud?

Summary
My explanation is a simplified one, but if you study it a bit, you will start to see where Microsoft is going.

In short, the vision of an Identity Metasystem based on Identity Management as a Service is brilliant thinking.

The proof will be found in how Microsoft executes.

There is a lot to work out here to show if this can really work. But I believe it can happen. Microsoft is in a good position to garner the expertise to give us this first implementation so organizations and people can start to vet the idea and see if this can really fly.

I will be anxious to watch carefully at the progress of this direction.

I don't mind taking a few knocks from Craig, and don't think this would be the place to respond to them, even if I do think that the interoperable claims based identity technology we have been building and shipping for the last few years is the rocket fuel needed to “transcend the limitations of Kerberos and LDAP as we move Active Directory to the cloud” – one of his main concerns.

But why quibble? Craig really gets what's important. I like the fact that he takes the time to explain why Identity Management as a Service really is a big deal. I suspect part of what he is saying is that it dwarfs the incremental changes we have seen over the last few years because it will impact every mainstream technology.

Craig's points about why infrastructure is hard are all golden, as is his wonderfully simple statement that “the current identity provider-centric world we live in now is broken and simply will not work for the future.”

As for the tough questions, execution can only be judged by looking at what is shipped and how it evolves over time. I'd like to take up the more general, IdMaaS-related questions in upcoming posts. John will be talking in his posts specifically about our RESTful implementation and providing readers with access so they can judge for themselves and give us feedback. At a practical level, we will be making things available incrementally in cloud time, adding breadth and depth as we go on. This whole aspect of cloud innovation makes it hugely exciting.

By the way, I love Craig's elephant – I only wish I could dance so well, metaphorically at least. I also love his graphics: he improved and extended the amateur ones I used in my European Identity and Cloud Conference keynote. So if it's OK with him, I'm going to pitch my own and go with his in my upcoming posts. Thanks Craig.

Since identity is a fundamental requirement of computing infrastructure, organizations have been involved in digital identity management for decades. Over the years, three models have emerged and co-existed. Of course I'm tempted to skip the history and jump headfirst into what's new and fresh today. But I think it is important to begin by reviewing the earlier models so we can get crisp about how the IdMaaS model differs from what has gone before. (Some day people who want to skip the previous models will be able to click here.)

Firewall Era Identity Model

Enterprise identity technology evolved incrementally from mainframe days using the concept of administrative and security “domains”: collections of resources tightly integrated under a single, closed organizational administration.

To control access to networks, computers, applications and information stores, it was necessary to identify them and recognize their legitimate users – whether people or software services. This required registration systems – often called directories – through which human and non-human identity records could be created, retrieved, updated and deleted (CRUD). In the domain paradigm identity management was thought to be the CRUD and little more.

While closed administrative domains were simple in theory, business requirements drove enterprises to adopt an assortment of unrelated internal systems and applications. Most came with their own independent user directories. Enterprises ended up with hundreds of different systems that had to be administered independently and would soon diverge.

With the advent of network PCs, we began to see Network Operating System domains that were collections of PC's working in conjunction with servers. Banyan‘s StreetTalk and Novell's Netware were both gamechanging products that introduced LAN directory coupled with identity management and authentication capabilities, but over time Active Directory achieved predominance as the administrative and security domain for PC users and applications. These products greatly simplified management of personal computers but the plethora of specialized business systems remained. In fact some enterprises ended up with multiple Active Directories.

A category of Identity Management integration products arose as a response to these problems: a dizzying array of often brittle point products and tools that could only be deployed at high cost by skilled specialists. They generally had to be customized to the point of being one-off solutions that paradoxically made the legacy even harder for customers to unravel.

In retrospect the most striking characteristic of the domain based model is that each domain spoke with absolute authority. It named things and asserted their attributes. The machines, services and administrators that were part of the domain took its assertions as being unquestionable. Trust for the domain was a condition of membership. There was no need for the evaluation of assertions since they came from the domain and the domain was right by definition.

Another characteristic was that each domain created identifiers within a namespace it controlled and they could be used to access the information about domain members and components by any entity the domain authorized. Systems typically employed a single namespace, and services used the same identifiers that were associated with domain components and users at authentication time.

In other words, until domains began to collide, it was a pretty simple world. Conversely, in todays interconnected and permeable world, most of the assumptions underlying the domain apply with growing caveats.

Internet-facing Identity Model

The explosion of the Internet surrounded the closed enterprise security domains with outward-facing systems aimed at customers and suppliers.

Once Web usage went beyond public applications like PR and advertising, organizations discovered that to enhance relationships with individual customers – and ultimately do e-Business – they needed ways to register them over the web. Customers and suppliers were seen as a different category of domain object, but the systems built for them still followed the domain model. Anything the domain said about its customer or supplier was taken to be true by all the applications in it.

Consumer and supply chain identity management was most often customized on top of existing business databases that were completely independent from the directories of employees maintained inside the corporate firewall.

This created problems in linking employees with customers. In the wake of mergers and acquisitions, companies struggled to deliver a unified experience to customers across multiple business units with diverse origins, and competition drove them to seek more unified identity and resource management services.

The Identity Management market thus expanded to include products that performed single sign-on and unified access control across a set of colliding domains, accompanied by large expenditures on hand-crafted integration projects.

The software giant begins talking publicly about Windows Azure Active Directory service and its strategy to use it as the foundation for its Identity Management as a Service strategy.

That's an interesting take on things. But is “Identity Management as a Service” actually a strategy? I wonder. In my thinking it is an inevitability. In other words, IDMAAS is the world we will end up in rather than the means of getting there.

So I think it is more accurate to say, as ZDNet also does, that Microsoft's strategy is to use Windows Azure Active Directory as the vehicle through which it offers Identity Management as a Service.

I hope this distinction doesn't appear overly picky… I just call it out because I would like to see our conversation focus primarily on what Identity management as a service must be. After all, if we don't get that right, the best strategy for getting there will be largely irrelevant.

But enough of this. John Fontana cuts to the chase:

After two years of work, Microsoft has unveiled details and its strategy around Active Directory for the cloud, anointing it the centerpiece of a comprehensive online identity management services strategy it thinks will profoundly alter the ID landscape.

The company said changes to the current concepts around identity management need a “reset” to handle the “social enterprise.” Microsoft says it is “reimagining” how its Windows Azure Active Directory (WAAD) service helps developers create apps that connect the directory to SaaS apps and cloud platforms, corporate customers and social networks.

“The term ‘identity management’ will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world,” Kim Cameron, an icon in the identity field and now a distinguished engineer working on identity at Microsoft, said on his blog. “This is so profound that it constitutes a ‘reset’.”

At the center is WAAD, which is in use today mostly with Office 365 and Windows Intune customers. WAAD is a multitenant service designed for high availability and Internet scale.

In a companion blog post to Cameron’s, John Shewchuk, a Microsoft Technical Fellow and key cog in the company’s cloud identity engineering, provided some details on WAAD, including new Internet-focused connectivity, mobility and collaboration features to support applications that run in the cloud.

Shewchuk said the aim is to support technologies such as Java, and apps running on mobile devices including the iPhone or other cloud platforms such as Amazon’s AWS.

Shewchuk said WAAD will be the cloud extension to on-premises Active Directory deployments enterprises have already made. The two are married using identity federation and directory synchronization.

He said Microsoft made “significant changes to the internal architecture of Active Directory” in order to create WAAD.

As an example, he said, “Instead of having an individual server operate as the Active Directory store and issue credentials, we split these capabilities into independent roles. We made issuing tokens a scale-out role in Windows Azure, and we partitioned the Active Directory store to operate across many servers and between data centers.”

Some analysts are already noting the challenges Microsoft will have with its cloud directory.

While Shewchuk laid out the set-up for a Part 2 of his blog that will focus on enhancements to WAAD, Kim Cameron painted the bigger picture on cloud identity going forward.

He said companies adopting cloud technology will see dramatic changes over the next decade in the way identity management is delivered. “We all need to understand this change,” he stressed.

Cameron said identity management as a service “will use the cloud to master the cloud”, and will provide the most reliable and cost-effective options.

“Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.”

And he added that enterprises will have to move beyond concepts that have guided their thinking to date.

I'll be interested in hearing more about Mark Diodati's views. I think he is right to say that you can't just hoist Kerberos-based AD into the sky and claim you've solved the world's problems.

But that's why we have spent years now embedding web protocols like SAML into AD so that it could federate and become part of the Cloud. The truth is that Windows Azure Active Directory has already transcended Kerberos – it tips its hat to the predominance of things like OpenID and OAuth on the Internet. And this is but one example of a whole change in attitude.

Wait. I'm already ahead of myself – getting into details about my little corner of reality before we've even defined a landscape…

[While we're at it, I notice that John Fontana, a tried and true bellweather when it comes to language, happily uses the acronym “WAAD” while refusing to taint himself with “IDMAAS”: hmmmm… could it be a sign?]

The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” – and most important, to the discussion of many important nuances.

It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

So today I'd like to take a first step in that direction and lay out a few high level ideas that I'll flesh out more concretely in upcoming posts. I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

Preparing for dramatic change

To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

We all need to understand this change.

Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effect way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

Redefining Identity Management

The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world. This is so profound that it constitutes a “reset”.

As a category, Identity Management will expand to encompass all aspects of identity:

registration of people, organizations, devices and services;
management of credentials;

collection and proofing of attributes;

claims issuance;

claims acceptance;

assignment of roles;

management of groups;

cataloging of relationships;

maintenance of personalization information;

storage and controlled publication of information through directory;

confidential auditing; and

assurance of compliance.

The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

Going forward, the term Identity Management As A Service will come up so often that we need an acronym. For the time being I'm going to adopt the one my friend Eric Norlan proposed over six years ago : IDMaaS. While we're at it, it is worth looking at Eric's prescient article in ZDNet – he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand-over to others” – a view that certainly described the way enterprises felt at that time. These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations. These new variables will be ones we want to drill into going forward.

Microsoft and IDMaaS

One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering.

I'm therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is. Here's a quote from today's blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right:

What is Windows Azure Active Directory?

We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

John's post is called Reimagining Active Directory for the Social Enterprise. It's done in two parts, and following that John will join into our broader conversation about the identity management reset. I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft's identity service offering.

Later this week: The Changing Model of Identity Management. I hope to see you there.

By now everyone has seen the “this stuff matters” box on Google's search page. The “This stuff matters” message is pretty interesting – it sounds like Google understands our concerns and is taking them seriously. On that basis I expect many people – fearing another 80 page privacy policy – will just move on to get their search result.

But some will actually take the time to follow the link. And what they'll see actually is important.

First, they'll find out that beginning this Thursday Google will amalgamate all the information it has about their activities and postings on all of Google's sites and services into a single account profile. This in spite of the fact that most people put content on those sites and entered queries into Google search pages thinking the information was limited to the specific context in which they were participating.

Second, they'll find out that as customers they have no choice about the matter. Even though in many cases they have helped create the knowledge and content that makes Google successful, their option if they dislike the policy is to completely stop using Google sites by Wednesday February 29th 2012.

Of course all of this is perfectly in keeping with the creepy “Real Names” initiative forced upon us a few months ago. At that time, we were told “Real Names” only applied to “certain Google sites” – like Google+. What a surprise that so little time later, ALL account and profile information from ALL Google properties is being amalgamated under a single privacy and identity policy! As we predicted, Real Names is slithering into the whole fabric of the company's offerings, whether specific sites benefit from what will often be “over-identification” or not.

Happily, one group of people who actually bothered to look into the change were the Attorneys General of the United States. Today they published a cogent and devastating letter that does an admirable job of enumerating the many deeply disturbing implications of Google's latest identity initiative. It begins,

“Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail. Likewise, consumers may be comfortable with Google knowing their Search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy. It rings hollow to call their ability to exit the Google products ecosystem a “choice” in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis.”

The Attorneys General then go on to discuss the contagion between Google's consumer offerings and their enterprise ones… What does this kind of identity grab mean for companies and governments who have put corporate and state information under Google's stewardship? Can the companies who steward the resources of the World Wide Web change their privacy and other policies in radical and even maniacal ways without regard to the policies in effect when those resources were created? Can they simply tell those who have bought into previous promises to either accept their brave new world or “take a walk”? As the attorneys put it,

“This invasion of privacy will be costly for many users to escape. For users who rely on Google products for their business – a use that Google has actively promoted1 – avoiding this information sharing may mean moving their entire business over to different platforms, reprinting any business cards or letterhead that contained Gmail addresses, re-training employees on web-based sharing and calendar services, and more. The problem is compounded for the many federal, state, and local government agencies that have transitioned to Google Apps for Government at the encouragement of your company, and that now will need to spend taxpayer dollars determining how this change affects the security of their information and whether they need to switch to different platforms.”

Not long ago, John Fontana suggested we get together to discuss the degree to which the Laws of Identity remain relevant seven years after they were published. I look forward to that conversation. Google's actions show there are still companies who could benefit from reading them. After all, it is clearly breaking three Laws of Identity:

Law 1: User Control and Consent. Users should never have identity information merged or divulged without their consent.

Law 2: Minimal Disclosure for a Constrained Use. It is wrong to link all information pertaining to a user across different contexts when it was provided for specific uses.

Law 4: Directed Identity. Systems should not create unnecessary correlation across different contexts unless people opt to do that. They thus should be able support identitfiers that are limited to specific scopes – as has been the case at Google's sites until now.

New York TImes Technology ran a story yesterday about the publishing industry that is brimming with implications for almost everyone in the Internet economy. It is about Amazon and what marketing people call “disintermediation”. Not the simple kind that was the currency of the dot.com boom; we are looking here at a much more advanced case:

SEATTLE — Amazon.com has taught readers that they do not need bookstores. Now it is encouraging writers to cast aside their publishers.

Amazon will publish 122 books this fall in an array of genres, in both physical and e-book form. It is a striking acceleration of the retailer’s fledging publishing program that will place Amazon squarely in competition with the New York houses that are also its most prominent suppliers.

It has set up a flagship line run by a publishing veteran, Laurence Kirshbaum, to bring out brand-name fiction and nonfiction…

Publishers say Amazon is aggressively wooing some of their top authors. And the company is gnawing away at the services that publishers, critics and agents used to provide…

Of course, as far as Amazon executives are concerned, there is nothing to get excited about:

“It’s always the end of the world,” said Russell Grandinetti, one of Amazon’s top executives. “You could set your watch on it arriving.”

But despite the sarcasm, shivers of disintermediation are going down the spines of many people in the publishing industry:

“Everyone’s afraid of Amazon,” said Richard Curtis, a longtime agent who is also an e-book publisher. “If you’re a bookstore, Amazon has been in competition with you for some time. If you’re a publisher, one day you wake up and Amazon is competing with you too. And if you’re an agent, Amazon may be stealing your lunch because it is offering authors the opportunity to publish directly and cut you out. ” [Read whole story here.]

If disintermediation is something you haven't thought about much, you might start with a look at wikipedia:

In economics, disintermediation is the removal of intermediaries in a supply chain: “cutting out the middleman”. Instead of going through traditional distribution channels, which had some type of intermediate (such as a distributor, wholesaler, broker, or agent), companies may now deal with every customer directly, for example via the Internet. One important factor is a drop in the cost of servicing customers directly.

Note that the “removal” normally proceeds by “inserting” someone or something new into transactions. We could call the elimination of bookstores “first degree disintermediation” – the much-seen phenomenon of replacement of the existing distribution channel. But it seems intuitively right to call the elimination of publishers “second degree disintermediation” – replacement of the mechanisms of production, including everything from product development through physical manufacturing and marketing, by the entities now predominating in distribution.

The parable here is one of first degree disintermediation “spontaneously” giving rise to second degree disintermediation, since publishers have progressively less opportunity to succeed in the mass market without Amazon as time goes on. Of course nothing ensures that Amazon's execution will cause it to succeed in a venture quite different from its current core competency. But clearly the economic intrinsics stack the deck in its favor. Even without displacing its new competitors it may well skim off the most obvious and profitable projects, with the inevitable result of underfunding what remains.

I know. You're asking what all this has to do with identityblog.

In my view, one of the main problems of reusable identities is that in systems like SAML, WS-Federation and Live ID, the “identity provider” has astonishing visibility onto the user's relationship with the relying parties (e.g. the services who reuse the identity information they provide). Not only does the identity provider know what consumers are visiting what services; it knows the frequency and patterns of those visits. If we simply ignore this issue and pretend it isn't there, it will become an Achilles Heel.

Let me fabricate an example so I can be more concrete. Suppose we arrive at a point where some retailer decides to advise consumers to use their Facebook credentials to log in to its web site. And let's suppose the retailer is super successful. With Facebook's redirection-based single sign-on system, Facebook would be able to compile a complete profile of the retailer's customers and their log-on patterns. Combine this with the intelligence from “Like” buttons or advertising beacons and Facebook (or equivalent) could actually mine the profiles of users almost as effectively as the retailer itself. This knowledge represents significant leakage of the retailer's core intellectual property – its relationships with its customers.

All of this is a recipe for disintermediation of the exact kind being practiced by Amazon, and at some point in the process, I predict it will give rise to cases of spine-tingling that extend much more broadly than to a single industry like publishing.

By the time this becomes obvious as an issue we can also predict there will be broader understanding of “second degree disintermediation” among marketers. This will, in my view, bring about considerable rethinking of some current paradigms about the self-evident value of unlimited integration into social networks. Paradoxically disintermediation is actually a by-product of the privacy problems of social networks. But here it is not simply the privacy of end users that is compromised, but that of all parties to transactions.

This problem of disintermediation is one of the phenomena leading me to conclude that minimal disclosure technologies like U-Prove and Idemix will be absolutely essential to a durable system of reusable identities. With these technologies, the ability of the identity provider to disintermediate is broken, since it has no visibility onto the transactions carried out by individual users and cannot insert itself into the relationship between the other parties in the system.

Importantly, while disintermediation becomes impossible, it is still possible to meter the use of credentials by users without any infringement of privacy, and therefore to build a viable business model.

I hope to write more about this more going forward, and show concretely how this can work.

It seems a number of people take the use of “real names” on the Internet as something we should all just accept without further thought. But a recent piece by Gartner Distinguished Analyst Bob Blakley shows very clearly why at least a bit of thought is actually called for – at least amongst those of us building the infrastructure for cyberspace:

… Google is currently trying to enforce a “common name” policy in Google+. The gist of the policy is that “your Google+ name must be “THE” name by which you are commonly known”.

This policy is insane. I really mean insane; the policy is simply completely divorced from the reality of how names really work AND the reality of how humans really work, and it’s also completely at odds with what Google is trying to achieve with G+. (my emphasis – Kim)

The root of the problem is that Google suffers from the common – but false – belief that names are uniquely and inherently associated with people. I’ve already explained why this belief is false elsewhere, but for the sake of coherence, I’ll summarize here.

There isn’t a one-to-one correspondence between people and names. Multiple people share the same name (George Bush, for example, or even me: George Robert Blakley III), and individual people have multiple names (George Eliot, George Sand, George Orwell, or Boy George – or even me, George Robert “Bob” Blakley III). And people use different names in different contexts; King George VI was “Bertie” to family and close friends.

THERE IS NO SUCH THING AS A “REAL” NAME.

A name is not an attribute of a person; it is an identifier of a person, chosen arbitrarily and changeable at will. In England, I can draw up a deed poll in my living room and change my name at any time I choose, without the intervention or assistance of any authority. In California, I apparently don’t even need to write anything down: I can change my name simply by having people call me by the new name on the street.

COMMON NAMES ARE NOT SINGULAR OR UNIQUE.

Richard Garriott is COMMONLY known as “Richard Garriott” in some contexts (check Wikipedia), and COMMONLY known as Lord British in other contexts (go to a computer gaming convention). Bob Wills and Elvis are both “The King”.

Despite these complexities, Google wants to intervene in your choice of name. They want veto power over what you can call yourself.

Reversing the presumption that I choose what to be called happens – in the real world – only in circumstances which diminish the dignity of the individual. We choose the names of infants, prisoners, and pets. Imposing a name on someone is repression; free men and women choose their names for themselves.

Google+’s naming policy isn’t failing because it’s poorly implemented, or because Google’s enforcement team is stupid. It’s failing because what they’re trying to do is (1) impossible, and (2) antisocial.

(2) is critical. Mike Neuenschwander has famously observed that social software is being designed by the world’s least sociable people, and Google+ seems to be a case in point. Google wants to be in the “social” business. But they’re not behaving sociably. They’re acting like prison wardens. No one will voluntarily sign up to be a prisoner. Every day Google persists in their insane attempt to tell people what they can and can’t call themselves, Google+ as a brand becomes less sociable and less valuable. The policy is already being described as racist and sexist; it’s also clearly dangerous to some disadvantaged groups.

If you want to be the host of a social network, you’ve got to create a social space. Creating a social space means making people comfortable. That’s hard, because people don’t fit in any set of little boxes you want to create – especially when it comes to names. But that’s table stakes for social – people are complicated; deal with it. Facebook has an advantage here; despite its own idiotic real-names policy and its continual assaults on privacy, the company has real (i.e. human) sociability in its DNA – it was created by college geeks who wanted to get dates; Google+ wasn’t, and it shows.

If Google’s intention in moving into social networking is to sell ads, Google+’s common names policy gives them a lock on the North American suburban middle-aged conservative white male demographic. w00t.

The Google+ common name policy is insane. It creates an antisocial space in what is supposed to be a social network. It is at odds with basic human social behavior; its implementation is NECESSARILY arbitrary and infuriating, and it is actively damaging the Google+ brand and indeed the broader Google brand.

The problem is not flawed execution; it is that the policy itself is fundamentally unsound, unworkable, and unfixable.

Google can be a social network operator, or they can be the name police. They can’t be both. They need to decide – soon. If I were Google, I’d scrap the policy – immediately – and let people decide for themselves what they will be called.

If you are interested in social networks, don't miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information. Click on the red “CC” in the lower right-hand corner to see the English subtitles.

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection. He argues that the record Facebook provided him finds them to be in flagrante delicto.

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary). This was followed by another perfectly executed move: setting up a web site called Europe versus Facebook that does everything right in terms using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD. Somehow this recipe found its way to reddit where it ended up on a couple of top ten lists. So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

If that seems to be enough, it's not all. As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it. The response ratchets the battle up one more notch:

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

For example, as I wrote here (and Max describes here), Facebook's “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months.

If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile – even if you never click the “like” button. These long lists of pages visited, tied in Facebook's systems to your “Real Name identity”, were not included on Max's CD.

Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”?

It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max's media talent is able to do with the answers once they become public.

The result may well impact the whole industry for a long time to come.

Meanwhile, students of these matters would do well to look at Max's many complaints:

Excessive processing of Data.Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes.
It seems Facebook is a prime example of illegal “excessive processing”.

Like Button.
The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.

Obligations as Processor.
Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).

Does ANYONE who has thought about digital identity in the last five years NOT know about Identity Woman? I don't think so!

I personally know hundreds – I'll even say thousands – of influential people around the world (in Europe, Asia and North America, in big companies and tiny startups, in government, the Academic world and NGOs, in non-profit and for-profit ventures) who see Identity Woman as I do: the soul of a very broad and interactive technical community, a moral force for good and excellence, and a smart innovator. Besides that, did I say, a great lady and a superheroine?

Identity Woman is a super-talented facilitator – who operates outside the box. She has thrown herself into the task of getting a whole world of self-directed people working on identity for companies big and small to understand each other – and even to learn from and motivate each other.

So what would you think of someone who took it upon themselves to stop her from calling herself “Identity Woman”? Does the word “control freak” come to mind? How about “bully”. Or maybe “megalomaniac”?

Or how about Google Plus – the supposedly cool and privacy friendly new social network.

It turns out Google Plus is not cool enough to tolerate even a single “Identity Woman”, in spite of her overwhealmingly positive reputation and the fact that an exact search on her name returns 390,000 hits on Google's own search engine!

This is not a good day. I'm sick and tired of seeing social network moguls pushing people around because we help them grow powerful. Enough already! Social networks are big because they are OUR networks. They need to be run in ways that respect the nature of a free society. This is going to become a social battleground.

Go over to Identity Woman's site for the whole sad story. It teaches a lot about the need for a whole spectrum of identity requirements. Sure, there are times when people need to present “natural” identities that reflect what their parents called them. But in real life we don't necessarily do that in our informal interactions. We use nicknames and partial names and sometimes keep our names to ourselves. Social networks need to grasp these nuances. And those trying to limit our behaviors and squeeze our potential should just back off.

According to this piece in Digital Trend, LinkedIn has “opted” 100 million of us into sharing private information within advertisements. This includes posting our names and photos as advertisers’ helpers.

“When a LinkedIn user views a third-party advertisement on the social network, they will see user profile pictures and names of connections if that connection has recommended or followed a brand. Any time that a user follows a brand, they unwittingly become a cheerleader for the company or organization if it advertises through LinkedIn.”

And in case that doesn't surprise you, how about this:

“In order to opt out of social advertising, the LinkedIn user has to take four steps to escape third-party advertisements:

“Hover over the user name in the top right hand corner of any LinkedIn page and click ‘Settings’. On the Settings page, click ‘Account’. On the Account tab, click ‘Manage Social Advertising’. Uncheck the box next to “LinkedIn may use my name, photo in social advertising.” and click the save button.”

What a mistake.

I know there are many who think that if Facebook can take the huddled masses to the cleaners, why shouldn't everyone?

It seems obvious that the overwhelming majority of people who participate in Facebook are still a few years away from understanding and reacting to what they have got themselves into.

But Linked In's membership is a lot more savvy about the implications of being on the site – and why they are sharing information there. Much of their participation has to do with future opportunities, and everyone is sensitive about the need to control and predict how they will be evaluated later in their career. Until yesterday I for one had been convinced that Linked In was smart enough to understand this.

But apparently not. And I think it will turn out that many of the professionals who until now have been happy to participate will choke on the potential abuse of their professional information and reputation – and Linked In's disregard for their trust.

My conclusion? Linked in has just thrown down the gauntlet and challenged us, as a community of professionals, to come up with safe and democratic ways to network.

This much is obvious: we need a network that respects the rights of the people in it. Linked In just lost my vote.